Well, we do appreciate you keeping it going; I’m sure it’s very popular (necessary for some of my software).
BTW, I know literally nothing about AppArmor audits, but I can share a tail of audit.log. I was just using vscode in a snap, and have a few other random ones:
type=CRED_REFR msg=audit(1642292552.097:500): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_START msg=audit(1642292552.097:501): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_START msg=audit(1642292569.237:502): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1642292606.277:503): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=CRED_DISP msg=audit(1642292606.277:504): pid=3089 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_ACCT msg=audit(1642292606.285:505): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_CMD msg=audit(1642292606.285:506): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='cwd="/home/avery/node-dev/week-6/ReduxToDoChallenge" cmd=7A797070657220696E20636F6465 exe="/usr/bin/sudo" terminal=pts/3 res=success'
type=CRED_REFR msg=audit(1642292606.285:507): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_START msg=audit(1642292606.285:508): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_STOP msg=audit(1642292630.325:509): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1642292637.681:510): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1642292654.965:511): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=CRED_DISP msg=audit(1642292654.965:512): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_env,pam_gnome_keyring,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=SERVICE_STOP msg=audit(1642292714.990:513): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Not sure if that tells you anything. If you have a sec to go over it, maybe you could tell me what I’m looking for, or point me in the direction of some resources you recommend for learning how to audit these. I’m probably a decent guinea pig.
Thanks
PS: adding snapd is in a guide for setting up MicroOS desktop now (the read-only Silverblue-ish OS) written by none other than a SUSE employee, so they can’t be THAT bad…
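As an added example (not part of the post above or of any project's code): a small Python triage script that parses records in this audit.log format, hex-decodes fields such as the cmd= value in the USER_CMD line, and flags the two things worth looking for in such a tail: AppArmor denials (type=AVC records with apparmor="DENIED") and commands run through sudo. The first two sample lines are copied from the post; the AppArmor denial line, its profile name and its path are constructed for illustration.

```python
import re

# Sample input. Lines 1-2 are copied from the audit.log tail in the post above; line 3 is a
# constructed AppArmor denial in auditd's type=AVC format (not from the post).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1642292606.285:506): pid=4674 uid=0 auid=10000 ses=2 subj==unconfined msg='cwd="/home/avery/node-dev/week-6/ReduxToDoChallenge" cmd=7A797070657220696E20636F6465 exe="/usr/bin/sudo" terminal=pts/3 res=success'
type=SERVICE_START msg=audit(1642292637.681:510): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=snapperd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1642292700.000:514): apparmor="DENIED" operation="open" profile="snap.code.code" name="/etc/example-constructed" pid=5000 comm="code" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AUDIT_ID_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
HEX_RE = re.compile(r"^[0-9A-F]+$")
# auditd hex-encodes these string fields when they contain spaces or control characters
HEX_FIELDS = {"cmd", "proctitle", "comm", "exe", "cwd", "name", "acct", "key"}


def decode_value(key: str, raw: str) -> str:
    """Strip quotes, or hex-decode fields auditd encodes (cmd=7A79... -> 'zypper in code')."""
    if raw[:1] in ('"', "'"):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw[1:] if raw.startswith("=") else raw  # subj==unconfined -> "unconfined"


def parse_record(line: str) -> dict:
    """Flatten one audit record into a dict, merging the nested msg='...' fields."""
    fields: dict = {}
    for key, raw in FIELD_RE.findall(line):
        if key == "msg" and raw.startswith("'"):   # nested PAM / USER_CMD fields
            fields.update(parse_record(raw[1:-1]))
        elif key == "msg":                           # msg=audit(TIME:SERIAL):
            m = AUDIT_ID_RE.match(raw)
            if m:
                fields["time"], fields["serial"] = m.group(1), m.group(2)
        else:
            fields[key] = decode_value(key, raw)
    return fields


def triage(log: str) -> list:
    """Report what is worth a look: AppArmor denials and privileged commands run via sudo."""
    findings: list = []
    for line in log.splitlines():
        r = parse_record(line)
        if r.get("type") == "AVC" and r.get("apparmor") == "DENIED":
            findings.append(f"AppArmor DENIED profile={r.get('profile')} op={r.get('operation')} "
                            f"name={r.get('name')} comm={r.get('comm')} mask={r.get('denied_mask')}")
        elif r.get("type") == "USER_CMD":
            findings.append(f"sudo by auid={r.get('auid')} in {r.get('cwd')}: {r.get('cmd')}")
    return findings
```

Running `triage(SAMPLE_LOG)` reports the decoded sudo command from the post and the constructed denial; on a real box, point it at the output of `ausearch -m AVC,USER_CMD`.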